Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Adware.Mac.WeDownload.1

Added to the Dr.Web virus database: 2015-09-15

Virus description added:

A downloader of affiliate software for OS X that has the following digital signature: "Developer ID Application: Simon Max (GW6F4C87KX)". The build folder path is as follows:

/Users/bogdancarmanus/Sites/download-manager-mac/DownloadManager/

The structure of the DMG image looks as follows:

Installer.app
.app

where ".app" indicates the configuration file encoded in base64 (the output string is encoded in utf-8) and encrypted with the RC4 algorithm. The configuration file can look as follows:

{
    "program_name": "Adobe Flash Player",
    "mirrors": ["http:\/\/fpdownload.macromedia.com\/get\/flashplayer\/pdc\/17.0.0.134\/install_flash_player_osx.dmg"],
    "api_key": "046073b03739711e23d9c307b94707b46e435467",
    "icon_url": "https:\/\/d1sx0cjuasqkw9.cloudfront.net\/installer-icons\/245\/046073b03739711e23d9c307b94707b46e435467.jpeg",
    "properties": {
        "program_name": "Adobe Flash Player",
        "prg": "7ltLcPzz_KAYIbT3rB0-wLaIytmcWoShM2U8I3yo8_K9HZfdYtzMPGsr4imyRhHz_MQa1mykPxKIf1OZ4HfsmUrhD4wsWABUbUrtKgiTptiN46xVxTRxO6ZW5epAVQl3vCYBUWhG_GN7KvVhQEyviVYYOUlcHA0pb7gRcN_E08HfrecprCGvemEb4xHF29ko9qshW2F4VDpEUS4b-wDBZPVm7owfXLNbrn35mKh5vrrOE2rs4IpBpje6XO_XGLGs"
    },
    "download_manager_identifier": 1442281855,
    "license": "",
    "version": "",
    "size": "",
    "file_name": "Adobe_Flash_Player.dmg",
    "disable_root": "false",
    "browser": "Google Chrome"
}

Once launched, Adware.Mac.WeDownload.1 prompts the user to grant it administrator privileges and sends consecutive requests to three command and control servers, whose addresses are hard coded in its body, to get data for the main application window. If none of the servers responds, the downloader terminates its work.

If Adware.Mac.WeDownload.1 gets a response, it sends the command and control server a POST request containing the downloader's configuration data in JSON format (JavaScript Object Notation). As a reply, the program receives an HTML page with the contents of the main window. The downloader adds a current time mark and a digital signature to all future GET and POST requests. The signature looks as follows:

s=<len>-<hash>r

where len indicates the length of signed data, hash indicates the hash of HMAC_SHA256 encrypted with the key that is hard coded in the program's body. Then the downloader sends the remote server a request for the list of files:

GET /eligibility.php?api_key=046073b03739711e23d9c307b94707b46e435467&os=mac&properties[program_name]=Adobe%20Flash%20Player&properties[prg]=7ltLcPzz_KAYIbT3rB0-wLaIytmcWoShM2U8I3yo8_K9HZfdYtzMPGsr4imyRhHz_MQa1mykPxKIf1OZ4HfsmUrhD4wsWABUbUrtKgiTptiN46xVxTRxO6ZW5epAVQl3vCYBUWhG_GN7KvVhQEyviVYYOUlcHA0pb7gRcN_E08HfrecprCGvemEb4xHF29ko9qshW2F4VDpEUS4b-wDBZPVm7owfXLNbrn35mKh5vrrOE2rs4IpBpje6XO_XGLGs&dl_id=1442281855&browser=Safari&os_version=10.9&t=1442327369&s=454-11a7d7d9739c3d34991058e8b3f8f4a999634ab6fe6614754be301520c74226br HTTP/1.1
Host: api.xtrdlapi.com
Referer: http://api.xtrdlapi.com/interface/mac/?v=4
Accept-Encoding: gzip, deflate
Accept: application/json, text/plain, */*
Accept-Language: en-us
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko)

where api_key, dl_id, properties[program_name], and properties[prg] indicate parameters from the configuration file, browser indicates the default browser, and os_version indicates the OS version.

The server replies with a data block in JSON format (JavaScript Object Notation) containing the list of applications to be installed. The list can contain the following programs:

  • MacKeeper (Program.Unwanted.MacKeeper)
  • Crossrider (Mac.Trojan.Crossrider)
  • Genieo (Mac.Trojan.Genieo)
  • Conduit (Trojan.Conduit)
  • Advanced Mac Cleaner (Program.Mac.Unwanted.AMC)
  • Yahoo Search (the default search engine is changed to Yahoo with the partner's ID)
  • ZipCloud (Program.Mac.Unwanted.ZipCloud)
  • MacBooster (Program.Unwanted.MacBooster)
  • TuneUpMyMac (Program.Unwanted.TuneUpMymac)
  • PremierOpinion (Mac.BackDoor.OpinionSpy)
  • InstallCore (Adware.Mac.InstallCore)

The total number and types of programs depend on the victim's geolocation. If the list of applications is empty, the user will not be offered to install anything else except for their original choice.

News about this downloader

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android